Embedded System Security for C/C++ Developers

Who should attend?

"Embedded System Security for C/C++ Developers" is aimed at electronic hardware, software and system-on-chip engineers who need to gain a working knowledge of the software and hardware security issues affecting a microcontroller-based embedded system. Note that this is not a course on the security issues affecting embedded Linux applications - delegates wishing to learn more about that topic are recommended to take the “Comprehensive Embedded Linux Security” course. 

What will you learn?

• Identifying the main security threats and vulnerabilities for an embedded system

• How to use common encryption and decryption standards for data-at-rest and data-in-motion

• Key management and use of certificates for authentication

• How to secure communication with TLS

• Writing secure C code

• How to use a coding standard with static analysis tools to identify security issues in C code

• Using a Secure Software Development methodology and framework

• Embedded system hardware features for security

• Approaches to test security of embedded applications

Pre-requisites

Delegates should have knowledge of the C or C++ programming language and embedded system architecture. In particular a basic level of familiarity with functions, variables, data types, operators, and statements. The C Programming for Embedded Systems or C++ Programming for Embedded Systems courses provide appropriate preparation for engineers who lack this experience.

Training materials

Training materials are renowned for being the most comprehensive and user-friendly available. Their style, content and coverage are unique in the Embedded Systems training world, and have made them sought after resources in their own right. The materials include:

• Fully indexed class notes creating a complete reference manual

• Workbook full of practical examples and solutions to help you apply your knowledge

Structure and Content

Introduction to Security

Why is security necessary • What are vulnerabilities • Overview of Secure Software Development Lifecycle

Writing Secure C/C++ Code 1 - Memory Vulnerabilities and Attacks

Safe use of pointers • Memory allocation and corruption • Buffer overflow • Return Oriented Programming

Writing Secure C/C++ Code 2 - Vulnerabilities and Mitigations

String and format functions • Integer security • Concurrency • File I/O

Lab - Memory Overflow-based attacks

Secure Software Development Lifecycle

Software design goals and threats • Threat modelling

Lab - Creating a Threat Model

Cryptography

Encryption and Decryption • Hashes • Block encryption • Block Cipher Modes • AES • Streaming Ciphers • ChaCha20+Poly1305 • AEAD

Lab - Message encryption/decryption

Cryptography in Action

Key management • Signing • Certificate and Certificate Agencies • Pre-shared secrets

Lab - Installing and using certificates

Transport Layer Security

Secure communications • Random Number Generators • Authentication • IoT Protocols • MQTT • DTLS • HTTPS • TLS Implementation • Wireless LAN Security and Threats

Lab - Sending secure messages

Rules for Secure Coding

Common Criteria • CWE and CVE • The Role of Coding Standards • CERT C and MISRA-C • Dynamic and Static Analysis

Lab - Use of static analysis tools

Secure Embedded System Software Architecture

Secure software architecture goals • Traditional guiding principles • Side channel & timing attacks • Least privilege, trust and secure processes • Arm Platform Security Architecture (PSA)

Lab - Side-channel timing attack

Secure Embedded System Hardware Architecture

Security in hardware • Crypto-Accelerator Overview • Arm TrustZone • Secure boot and update • Hardware options for security

Testing for Security

Unit tests and frameworks • Tools • Penetration Testing • Protocol Fuzzing • Disassembly • Simple Power Analysis (SPA) • Differential Power Analysis (DPA)